taken from 2.6.6 --- apache2/msc_multipart.c 2011-07-18 17:35:27.000000000 +0000 +++ apache2/msc_multipart.c.oden 2012-12-23 17:45:32.000000000 +0000 @@ -20,6 +20,32 @@ #include "msc_util.h" #include "msc_parsers.h" +void validate_quotes(modsec_rec *msr, unsigned char *data) { + int i, len; + + if(msr == NULL) + return; + + if(msr->mpd == NULL) + return; + + if(data == NULL) + return; + + len = strlen(data); + + for(i = 0; i < len; i++) { + + if(data[i] == '\'') { + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "Multipart: Invalid quoting detected: %s length %d bytes", + log_escape_nq(msr->mp, data), len); + } + msr->mpd->flag_invalid_quoting = 1; + } + } +} + #if 0 static char *multipart_construct_filename(modsec_rec *msr) { @@ -155,6 +181,9 @@ static int multipart_parse_content_dispo /* evaluate part */ if (strcmp(name, "name") == 0) { + + validate_quotes(msr, value); + if (msr->mpd->mpp->name != NULL) { msr_log(msr, 4, "Multipart: Warning: Duplicate Content-Disposition name: %s", log_escape_nq(msr->mp, value)); @@ -169,6 +198,9 @@ static int multipart_parse_content_dispo } else if (strcmp(name, "filename") == 0) { + + validate_quotes(msr, value); + if (msr->mpd->mpp->filename != NULL) { msr_log(msr, 4, "Multipart: Warning: Duplicate Content-Disposition filename: %s", log_escape_nq(msr->mp, value)); @@ -187,7 +219,18 @@ static int multipart_parse_content_dispo while((*p == '\t') || (*p == ' ')) p++; /* the next character must be a zero or a semi-colon */ if (*p == '\0') return 1; /* this is OK */ - if (*p != ';') return -12; + if (*p != ';') { + p--; + if(*p == '\'' || *p == '\"') { + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "Multipart: Invalid quoting detected: %s length %d bytes", + log_escape_nq(msr->mp, p), strlen(p)); + } + msr->mpd->flag_invalid_quoting = 1; + } + p++; + return -12; + } p++; /* move over the semi-colon */ }
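Review bot: The loop in `validate_quotes` keeps scanning after the first `'` is found, so a value containing many single quotes produces one level-9 log line per quote, each carrying the whole escaped value. Adding `break;` after `msr->mpd->flag_invalid_quoting = 1;` avoids that, since the flag appears to be the only state the function records. The function is also non-static with no prototype visible, and it takes `unsigned char *` while `strlen(data)` expects `const char *`; the call sites added in the next two hunks pass `value`, which is declared outside the hunk and is presumably a plain `char *`. Declaring it as `static void validate_quotes(modsec_rec *msr, const char *data)` would remove the pointer-sign mismatch at both ends. Note too that `msr->txcfg` is dereferenced without the NULL check given to `msr` and `msr->mpd`.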
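Review bot: In the new `if (*p != ';')` branch the log call passes `strlen(p)` to a `%d` conversion, but `strlen` returns `size_t`, so the argument type does not match the format. The behaviour is undefined where `size_t` is wider than `int`; either cast it, `(int)strlen(p)`, or format it with `%" APR_SIZE_T_FMT "`. The `p--` / `p++` pair exists only to peek at the previous character, so `if (p[-1] == '\'' || p[-1] == '"')` with `p - 1` passed to the log call would do the same without moving the cursor. That read is in bounds only if at least one character was consumed before this point, which is decided by code outside the hunk; the enclosing loop also starts before the hunk.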